An insider threat detection method based on improved Test-Time Training model

Xiaoling Tao, Jianxiang Liu, Yuelin Yu, Haijing Zhang, Ying Huang

High-Confidence Computing ›› 2025, Vol. 5 ›› Issue (1) : 100283

DOI: 10.1016/j.hcc.2024.100283
Research Articles

Abstract

As network and information systems become widely adopted across industries, cybersecurity concerns have grown more prominent. Among these concerns, insider threats are considered particularly covert and destructive. Insider threats refer to malicious insiders exploiting privileged access to networks, systems, and data to intentionally compromise organizational security. Detecting these threats is challenging due to the complexity and variability of user behavior data, combined with the subtle and covert nature of insider actions. Traditional detection methods often fail to capture both long-term dependencies and short-term fluctuations in time-series data, which are crucial for identifying anomalous behaviors. To address these issues, this paper introduces the Test-Time Training (TTT) model for the first time in the field of insider threat detection, and proposes a detection method based on the TTT-ECA-ResNet model. First, the dataset is preprocessed. TTT is applied to extract long-term dependencies in features, effectively capturing dynamic sequence changes. The Residual Network, incorporating the Efficient Channel Attention mechanism, is used to extract local feature patterns, capturing relationships between different positions in time-series data. Finally, a Linear layer is employed for more precise detection of insider threats. The proposed approaches were evaluated using the CMU CERT Insider Threat Dataset, achieving an AUC of 98.75% and an F1-score of 96.81%. The experimental results demonstrate the effectiveness of the proposed methods, outperforming other state-of-the-art approaches.

Keywords

Insider threats / Test-Time Training / Residual network / Efficient channel attention mechanism

Cite this article

Xiaoling Tao, Jianxiang Liu, Yuelin Yu, Haijing Zhang, Ying Huang. An insider threat detection method based on improved Test-Time Training model. High-Confidence Computing, 2025, 5(1): 100283 DOI:10.1016/j.hcc.2024.100283

CRediT authorship contribution statement

Xiaoling Tao: Validation, Supervision, Project administration, Investigation, Funding acquisition. Jianxiang Liu: Writing - review & editing, Writing - original draft, Visualization, Software, Methodology, Data curation, Conceptualization. Yuelin Yu: Writing - review & editing, Validation, Formal analysis. Haijing Zhang: Writing - review & editing, Validation, Formal analysis. Ying Huang: Writing - review & editing, Validation, Formal analysis.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (62472118), the Central Guidance on Local Science and Technology Development Fund of Guangxi Province (ZY23055008), the Guangxi Science and Technology Program (AB24010315), and the Innovation Project of Guangxi Graduate Education, China (YCSW2024325).

